IBM Support

Error configuring LDAP with SSL

Troubleshooting


Problem

We configured LDAP for the TDWC. When we selected "Require SSL communications" we received an error.

Symptom

CWWIM5020E Could not connect to the ldaps://test.ian.intranet:636 repository using properties:[port=636],[primary_host=test.ian.intranet],[bindDN=uid=tws_bind_t,ou=TWS,ou=operations,ou=Services,o=ibm],[certificateMapMode=exactdn],[sslConfiguration=],[sslEnabled=true],[connectTimeout=0],[id=IANRepository],[ldapServerType=SUNONE],[host=test.ian.intranet],[referal=ignore],[certificateFilter=],[bindPassword=****],[authentication=simple]

Cause

If the signer certificate has already been added to the local trust store, the likely cause is the revocation-checking setting, com.ibm.jsse2.checkRevocation. This property configures certificate revocation checking for the Java Virtual Machine (JVM). It is set to false by default because the default WebSphere certificates used for SSL communication contain neither certificate revocation list (CRL) distribution points nor Online Certificate Status Protocol (OCSP) information.

When the setting is enabled, the JVM attempts to check whether the certificate presented by the LDAP server has been revoked. The revocation status can be determined in several ways (CRL distribution points or OCSP). If the status cannot be determined, for example because the CRL or OCSP responder is not reachable from the eWAS host, the certificate cannot be used and the LDAP connection fails.

Diagnosing The Problem

Check that revocation checking is set to false in eWAS, both in the SSL client properties file and in the cell security.xml :-

<TWA_Home>/eWAS/profiles/ITMProfile/properties/ssl.client.props

com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false

<TWA_Home>/eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml

name="com.ibm.jsse2.checkRevocation" value="false" required="false"

By default, revocation checking is disabled (false) in both places.

Resolving The Problem

If the setting is true, change it to false in this way :-


1. Stop eWAS
2. Back up ./eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml
3. Edit ./eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml
Change line :-
name="com.ibm.jsse2.checkRevocation" value="true"
to :-
name="com.ibm.jsse2.checkRevocation" value="false"
4. Restart eWAS
5. Test LDAP SSL

The setting can also be found and changed in the admin console at :-

SSL certificate and key management > Trust managers > IbmPKIX > Custom properties

Note that with com.ibm.jsse2.checkRevocation set to false the console no longer detects a revoked LDAP server certificate. If the LDAP server certificate does carry CRL distribution points or OCSP information, making those endpoints reachable from the eWAS host is the alternative that keeps revocation checking enabled.

Further details about this property are available in the WebSphere Application Server documentation.

Related Information

Product: IBM Workload Scheduler (SSGSPN)
Component: Tivoli Dynamic Workload Console
Version: 8.6
Platform: Platform Independent
Business Unit: Cloud & Data Platform
Line of Business: Automation

Document Information

Modified date:
29 September 2018

UID

swg21625248